How to Process Form Results with PHP and a Webhook

In this tutorial, we’ll show you how to process the data submitted when a user fills out a form with PHP.

About Webhooks

A webhook is computing code that executes on your website or on the cloud whenever a form is submitted. FormSmarts triggers the code’s execution by sending an HTTP request to a callback URL you’ve set up. The code receives the form data from the request, allowing you to perform useful actions with it.

Webhook Example in PHP

The code below shows how to process a webhook in PHP. We've also created more complete webhook examples taking advantage of the FormSmarts API & Webhook Client (Python): 


<?php
// parse raw POST data
$form = json_decode(file_get_contents("php://input"));

print($form->{'api_version'});
print($form->{'form_name'});
print($form->{'fs_ref_num'});
print($form->{'api_date'});

// get the list of fields in the order they appear on the form
$fields = $form->{'fields'};

// iterate over fields
foreach($fields as $field) {
  print($field->{'field_name'});
  print($field->{'field_value'});
  // form attachments have additional properties (but field_value is empty)
  if($field->{'field_datatype'} == 'attachment') print($field->{'attachment_url'});
}

// print data type of first field
print($fields[0]->{'field_datatype'});

// print payment information, if applicable
if(array_key_exists('payment', $form)) {
  $payment = $form->{'payment'};
  print($payment->{'currency'});
  print($payment->{'amount'});
  print($payment->{'processor_name'});
  print($payment->{'transaction_id'});
}

// print information passed to the context parameter, if available
if(array_key_exists('form_context', $form)) {
  print($form->{'form_context'}->{'label'});
  print($form->{'form_context'}->{'value'});
}
?>

Webhook Authentication

Before taking any actions based on the data received, you should always authenticate the webhook message to verify that the request genuinely originates from FormSmarts.

How to Authenticate a Webhook Message

Webhook callbacks are digitally signed with a JSON Web Token (JWT) token. You can easily verify a request with the Webhook Authenticator for Python, the Webhook Authenticator for Node.js, a PHP module in as shown here, or a JWT libray in any other language.

FormSmarts webhook authentication relies on your Webhook Key. You will find your Webhook Key in the Security Settings of your account. Your Webhook Key is secret, don't share it with anyone.

Complete Example with Authentication

Let's now revisit the example above and add message authentication.

Downloads

You can download a copy of the PHP source for this example below. Don't forget to add your account number and Webhook Key as discussed next.

FormSmarts authenticates webhook requests with a JSON Web Token (JWT). We can easily verify requests with a third-party PHP module. For this example, we use this JWT module.

The Code

First edit formsmarts_webhook_example_auth_v2_config.php and paste your FormSmarts account number and Webhook Key: 

   // Paste your Webhook Key below
   private $formsmarts_secret_key = "m9DwEcCqDZznQ5UI10AqciRWybRkdNgwB1qEhV8h93KTEcO846jqt1N9pSeU4OkN";

The callback script (FormSmarts_Webhook_Example.php) now becomes: 

<?php
declare(strict_types=1);

use Lcobucci\JWT\Encoding\CannotDecodeContent;
use Lcobucci\JWT\Encoding\JoseEncoder;
use Lcobucci\JWT\Token\InvalidTokenStructure;
use Lcobucci\JWT\Token\Parser;
use Lcobucci\JWT\Token\UnsupportedHeaderFound;
use Lcobucci\JWT\UnencryptedToken;

require 'vendor/autoload.php';
require_once("formsmarts_webhook_example_auth_v2_config.php");

$parser = new Parser(new JoseEncoder());

// Get Authorization header

if (! isset($_SERVER["HTTP_AUTHORIZATION"])) {
     header("HTTP/1.1 401 Unauthorized");
     fwrite(STDOUT, "Authorization header missing.");
     die();
}
list($scheme, $token) = explode(" ", $_SERVER["HTTP_AUTHORIZATION"], 2);
if (strcasecmp($type, "Bearer") != 0) {
     header("HTTP/1.1 401 Unauthorized");
     fwrite(STDOUT, "Invalid Authorization header: missing Bearer token.");
     die();
}

// Verify webhook request was sent by FormSmarts

try {
    $token = $parser->parse($token);
} catch (CannotDecodeContent | InvalidTokenStructure | UnsupportedHeaderFound $e) {
     header("HTTP/1.1 401 Unauthorized");
     fwrite(STDOUT, "Invalid Authorization header: invalid Bearer token.");
     die();
}

// We've established the request is really originating from FormSmarts.
// We can now start to do something useful...
// Note: Do NOT insert your own code before this line!

// Log file for demonstration & debugging
$fh = fopen('/tmp/formsmarts_webhook_call.log', 'a');

$form = json_decode(file_get_contents("php://input"));
fwrite($fh, $form->{'api_version'});
fwrite($fh, $form->{'form_name'});
fwrite($fh, $form->{'fs_ref_num'});
fwrite($fh, $form->{'api_date'});

$fields = $form->{'fields'};

// iterate over all fields

foreach($fields as $field) {
  fwrite($fh, $field->{'field_name'});
  fwrite($fh, $field->{'field_value'});
  if($field->{'field_datatype'} == 'attachment') {
    fwrite($fh, $field->{'attachment_url'});
    fwrite($fh, $field->{'attachment_filename'});
  }
}

// print value ID of first field

fwrite($fh, $fields[2]->{'field_datatype'});


// print payment information, if applicable
if(array_key_exists('payment', $form)) {
  $payment = $form->{'payment'};
  fwrite($fh, $payment->{'currency'});
  fwrite($fh, $payment->{'amount'});
  fwrite($fh, $payment->{'processor_name'});
  fwrite($fh, $payment->{'processor_txn_id'});
}


// print context info, if available.

if(array_key_exists('form_context', $form)) {
  fwrite($fh, $form->{'form_context'}->{'formsmarts_ctx_label'});
  fwrite($fh, $form->{'form_context'}->{'formsmarts_ctx_value'});
}

fclose($fh);
?>

Set Up the Webhook on FormSmarts

Follow the instructions in the webhook documentation to register the callback URL for the form you've created earlier.